#TwoFactorTuesday: Post Password Security is Here

The Yubikey, from Yubico, is an example of two-factor authentication technology that adheres to FIDO specifications.

Yesterday was international #TwoFactorTuesday, a joint effort between the National Cyber Security Alliance and the FIDO Alliance to raise awareness of strong online authentication. In addition to the online social media discussion under the event's eponymous hashtag, two panel discussions were hosted by Google and broadcast live via YouTube. The result was a great case for optimism in the world of cyber security, something that is welcome in our current online landscape of sophisticated digital crime and massive corporate and government data breaches.

One of the standout moments of the security-minded event took place at the end of the first panel, when FIDO executive director Brett McDowell posed the question: what challenges do the security experts on stage face when trying to encourage post-password security?

Yubico’s Derek Hanson, in his response, outlined a very pressing issue of public perception – one that often goes overlooked in the digital identity industry.

“The biggest challenge that I personally face is making sure that people understand that they can start today,” said Hanson. “They think that this is stuff that is out there and maybe some day will become something that I can use. But it is there today and it is something that can be used by anyone – from my grandma all the way through people that are extremely technical. The idea that we can’t do anything to improve our own situation is a big challenge.”

Indeed, while major FIDO adopters such as Microsoft and Google have made major headway in making strong online authentication possible for end users across the globe, public perception is certainly still that people are stuck with passwords for now. At the top of the discussion, Google’s Stephen Somogyi summarized why this is a problem: “Passwords suck. Just as a baseline, that’s where we started. And we realized quite a few years ago that they were irrevocably broken.”

Essentially, when it comes to modern cyber security, password alternatives are in high demand but seem to lack the end-user visibility that would otherwise lead to wider adoption. This is of course changing as companies, governments and other relying parties begin to offer strong authentication options, but therein lies another obstacle, one addressed by the prominence of consortia like FIDO.

“The flip side to that is: corporations that I talk to are often scared of the effort to put in to deal with adding these capabilities,” said Hanson. “As somebody who has helped a lot of corporations do this, it’s not nearly as bad as you think. We can do this. These are solvable problems and there’s a whole alliance of companies like you who can walk you through their lessons learned so that it is not painful for you.”

The ultimate goal, says Hanson, is the building of a more secure internet for everyone. “The goal of Yubico and the subtitle under our name is to ‘Trust the Net,’” he said. “And the idea is that we need to have established enough of a foundation that you can begin to trust what is going on out there and we have a long road to climb to reestablish that trust.”

A recording of the full two-hour event can be watched on YouTube. Stay posted to Mobile ID World as we continue to unpack these panels in celebration of National Cyber Security Month.